EP3428830A1 - ID tokens with a protected microcontroller - Google Patents

ID tokens with a protected microcontroller

Info

Publication number
EP3428830A1
Authority
EP
European Patent Office
Prior art keywords
microcontroller
application
token
protected
communication interface
Legal status
Granted
Application number
EP18182580.3A
Other languages
German (de)
English (en)
Other versions
EP3428830B1 (fr)
Inventor
Frank Morgner
Micha KRAUS
Paul Bastian
Current Assignee
Bundesdruckerei GmbH
Original Assignee
Bundesdruckerei GmbH
Application filed by Bundesdruckerei GmbH
Publication of EP3428830A1
Application granted
Publication of EP3428830B1
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/83 Protecting input, output or interconnection devices; input devices, e.g. keyboards, mice or controllers thereof
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings, characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards, also with resonating or responding marks without active components
    • G06K19/07 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards, also with resonating or responding marks without active components, with integrated circuit chips
    • G06K19/0716 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards, with integrated circuit chips, at least one of the integrated circuit chips comprising a sensor or an interface to a sensor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security, for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security, for authentication of entities using biometrical features, e.g. fingerprint, retina scan

Definitions

  • The invention relates to an ID token having a sensor, a communication interface and a first microcontroller, the ID token comprising a protected second microcontroller with at least one microcontroller communication interface arranged in a receptacle of the ID token, the microcontroller communication interface providing a data input and a data output.
  • The invention further relates to a method for checking measurement data of the sensor of an ID token according to the invention, and to a system which comprises such an ID token according to the invention and a reading device with a communication interface for data exchange with the communication interface of the ID token.
  • The present patent application is a divisional application of the parent application PCT/EP2016/080750, whose disclosure is fully incorporated in the present divisional application.
  • ID tokens for identifying or authenticating a holder of the corresponding ID token are known from the prior art, for example in the form of documents such as identity cards and passports, but also access cards intended to allow a particular person access to a security area, or signature cards that can be used to sign an electronic document.
  • The corresponding documents cannot necessarily be used only by the person for whom the ID tokens are provided.
  • The identity of the user is defined solely by the ID token used. For example, any third person may use a found ID token, such as an access card, to gain access to a locked area.
  • One solution to this problem is, for example, an additional authentication process in which the user of the ID token is asked for an additional security attribute, such as a PIN or a biometric feature, which does not result from possession of the ID token. For example, the user of the ID token is requested to enter a corresponding additional security attribute on a terminal or another external device.
  • Another problem in the prior art is potential manipulation attempts on the ID token.
  • an unauthorized person may attempt to gain access to the attributes stored on the ID token for authentication by means of appropriate manipulations on the ID token.
  • An example scenario would be an unauthorized third party replacing an additional security attribute of the ID token's authorized user stored on the ID token, such as a PIN or biometric feature, with a self-selected security attribute, such as a new PIN or a biometric feature of an unauthorized user. Despite the added security attribute, there is a risk of abuse.
  • The terminal or other external device is exposed to the risk of a possible skimming attack.
  • The user cannot tell from the outside whether the input device has been manipulated so that an attacker can intercept or eavesdrop on the additional features.
  • EP 2 575 084 A1 describes techniques for entering a secret into a security token using an embedded tactile-sensor user interface and verifying the secret against a stored representation of the same secret.
  • A tactile scanning user interface is set up to receive a user-coded secret.
  • A decoding unit is arranged to generate a decoded secret by decoding the user-encoded secret.
  • A comparison unit is arranged to compare the decoded secret with a copy of the secret stored in the token in order to verify the authenticity of a user. This provides the security token with on-card matching functionality.
  • The object of the present invention is to prevent the above-described problem of illegal use of an ID token.
  • An "ID token" is to be understood here in particular as a portable electronic device which has at least one protected electronic data memory for storing attributes and a communication interface for reading out the attributes.
  • the memory area is protected in order to prevent the attribute stored in the memory area from being altered in an unauthorized manner or read out without the required authorization. In other words, the memory area can only be accessed if an access authorization required for this purpose is given.
  • the ID token can be a USB stick or a document, in particular a value or security document, for example in the form of a chip card.
  • A "document" is understood to mean paper-based and/or plastic-based documents, such as electronic identity documents, in particular passports, identity cards, visas and driving licences, vehicle registration documents, vehicle documents, company identity cards, health cards or other ID documents, as well as chip cards, in particular an access card or signature card, means of payment, in particular banknotes, bank cards and credit cards, waybills or other credentials, in which a data memory for storing at least one attribute is integrated.
  • The ID token can be a hardware token or a soft token if it is cryptographically bound to a hardware token, that is, for example, to a so-called secure element.
  • A soft token cryptographically bound to a secure element can be generated, for example, according to DE 10 2011 082 101.
  • An “attribute” is generally understood to mean a data value, for example a number or a text.
  • the attribute may be an indication of the identity of a user to whom the ID token is associated, particularly as to its so-called digital identity.
  • the name, first name, address of the user can represent attributes.
  • an “attribute” is understood in particular as meaning data relating to the user of the ID token or the ID token itself, in particular personalization data, such as personal data of the user, a period of validity or the issuer of the ID token or payment information, such as credit card information or other data for an electronic payment system.
  • An attribute may also include data used to verify the user's eligibility to use a particular online service, such as the age of the user if they would like to use an online service reserved for a particular age group, or another attribute that documents the affiliation of the user to a particular group that is authorized to use the online service.
  • An "attribute" may also designate a data value that includes an access authorization to an access-restricted security system.
  • The attribute may also indicate a particular group membership, with access to the access-restricted security system depending on said group membership.
  • a "reader” is understood here as an electronic device which allows read access and also write access to the ID token, in particular a terminal, for example in the form of a so-called chip card terminal.
  • the reading device may form an integral part of a user computer system or be implemented as a separate component, for example as a peripheral device of the user computer system.
  • the reader may be a so-called class 1, 2 or 3 chip card reader.
  • the reader can be equipped with a contactless and / or contact interface for data exchange with an ID token.
  • a “microcontroller” or system-on-a-chip (SoC) is understood here as a semiconductor chip which comprises at least one processor, a communication interface and a memory.
  • a “protected microcontroller” refers to a microcontroller with physically limited accessibility.
  • a protected microcontroller here means a microcontroller with exactly one communication interface for contact-type communication with external elements, the communication interface providing exactly one data input and one data output.
  • a protected microcontroller may have additional measures against abuse, in particular against unauthorized access to data in the memory of the microcontroller.
  • a protected microcontroller includes sensors for monitoring the state of the microcontroller as well as its environment in order to detect deviations from normal operation, which may indicate manipulation attempts.
  • Corresponding sensor types include, for example, a clock frequency sensor, a temperature sensor, a voltage sensor, and / or a light sensor.
  • Clock frequency sensors, temperature sensors and voltage sensors detect, for example, deviations of the clock frequency, temperature and / or voltage up or down from a predefined normal range.
  • a protected microcontroller may include a nonvolatile electronic memory with a protected memory area.
  • A protected microcontroller may include means for cryptographic protection, such as a random number generator, a cryptographic key generator, a hash generator, an encryption/decryption module, a signature module, certificates, and/or one or more non-migratable cryptographic keys, such as a so-called Endorsement Key, Storage Root Key and/or Attestation Identity Keys.
  • nonvolatile electronic memory is understood here as a memory for storing data, in particular attributes, which is also referred to as non-volatile memory (NVM).
  • this may be an EEPROM, for example a flash EEPROM, referred to as flash for short.
  • A "protected memory area" is understood here as meaning an area of an electronic memory to which access, that is to say a read access or a write access, is only made possible by a processor coupled to the memory if a condition required for this purpose is fulfilled. This may be, for example, a cryptographic condition, in particular a successful authentication and/or a successful authorization check.
  • the memory may be configured so that access to the protected memory area is possible only via the coupled processor.
  • A "protected memory area" of an ID token is understood to be an electronic memory in which data are stored, such as an attribute and/or a data structure, which are only read, deleted or changed by a reading device if the reader has authenticated itself against the ID token and/or has demonstrated its eligibility to read, erase and/or write that data on the ID token, for example by means of an authorization certificate specifying such rights of the reader.
  • the electronic memory may be an EEPROM, in particular a flash EEPROM.
  • a "processor” is here understood to mean a logic circuit which serves to execute program instructions.
  • the logic circuit may be implemented on one or more discrete components, in particular on a chip.
  • a “communication interface” here means an interface via which data can be received and transmitted, wherein the communication interface can be configured to be contact-based or contactless, for example according to an RFID and / or NFC standard.
  • An "application" is understood here, without limitation, as any type of computer program which comprises machine-readable instructions for controlling a functionality of the ID token.
  • A "proxy" is understood here as a switching element configured to establish a data connection between a receiver and a transmitter of data and to switch to one or more other data connections which connect the same receiver or transmitter to another transmitter or receiver.
  • a “sensor” is understood here as an element for acquiring measured data.
  • Measurement data are data which qualitatively or quantitatively reproduce physical or chemical properties of a measurement object, such as heat quantity, temperature, humidity, pressure, sound field parameters, brightness, acceleration, pH value, ionic strength, electrochemical potential, and / or its material nature. Measurement data are recorded by means of physical or chemical effects and converted into an electronically processed electrical signal.
  • sensors also include elements for detecting information input, such as a keyboard, keypad, mouse, touch screen, and / or gesture capture elements.
  • An "encrypted end-to-end connection" is understood here as meaning a connection between a sender and a receiver with an end-to-end encryption in which data to be transmitted are encrypted by the sender and first decrypted by the receiver.
  • the encryption of transmitted data is thus carried out across all transmission stations, so that intermediate stations can not learn about the content of the transmitted data due to the encryption.
  • the connection is cryptographically secured by the encryption in order to prevent spying and / or manipulation of the transmission, for which purpose a so-called secure messaging method can be used.
  • A method for establishing such an encrypted end-to-end connection between an ID token and a reader is described, for example, in German patent application 10 2015 202 308.7.
  • a “certificate” here means a digital certificate, which is also referred to as a public-key certificate.
  • a certificate is structured data that serves to associate a public key of an asymmetric cryptosystem with an identity, such as a person or device.
  • certificates based on zero-knowledge cryptosystems are also possible.
  • the certificate may conform to the standard X.509 or another standard.
  • the certificate is a Card Verifiable Certificate (CVC).
  • the certificate may specify for which attribute or attributes of the user stored in the protected memory area of the ID token a reader is authorized to perform a read access. Furthermore, the respective write permissions for attribute specifications or attributes in a certificate can also be defined. Such a certificate is also called an authorization certificate. Furthermore, a certificate can specify whether an authentication with the on-chip sensors may be initiated by the terminal.
  • An "Application Protocol Data Unit" (APDU) is a communication unit of the communication between a smart card and a chip card application according to the ISO 7816 standard.
  • An APDU is an application-level communication unit, which corresponds to layer 7 in the OSI layer model. It is possible to differentiate between command APDUs and response APDUs. Command APDUs transmit commands to the smart card, while the response APDUs transmit the chip card responses to appropriate commands.
  • the structures of command APDU and response APDU are defined in ISO 7816-4.
  • a command APDU consists of a header with header data and an optional body with user data, ie commands.
  • a response APDU consists of an optional body with user data, the response data of the command, and a mandatory trailer.
  • The trailer provides information about the successful execution of the command or the type of error that prevented or interrupted the processing.
  • the payloads are each encrypted, whereas the header data remains unencrypted to ensure correct assignment and execution of the APDUs.
  • A communication based on a "master"/"slave" relationship between two or more participants is understood to be a data exchange in which exactly one participant assumes the role of the master and all other participants assume the role of slaves.
  • The communication takes place using a question-and-answer protocol in which only the master, as the sole participant, has the authorization to initiate a data transmission on its own, i.e. to send a corresponding request to one of the slaves, whereas the slaves can only respond to requests with answers, without the ability to actively intervene in the communication or to initiate it.
  • a “logical channel” is understood to mean a local connection between two data terminal devices or network nodes, whereby a logical channel is realized by channel addresses in the transmitted data packets.
  • Each channel is assigned a "context" that defines a state and / or application of the destination data terminal or destination network node.
  • Embodiments may have the advantage of providing effective protection against misappropriation of the ID token.
  • On the one hand, an ID token according to the invention offers the possibility of checking the presence of additional security attributes by means of the sensor; on the other hand, it allows the use of a protected microcontroller which is configured, for example, to communicate with a reader in encrypted form and at the same time offers a high degree of security against access.
  • the memory of the second microcontroller comprises a protected memory area in which at least one attribute of the ID token is stored.
  • the comparison data are stored in the protected memory area of the memory of the second microcontroller.
  • the ID token comprises a plurality of sensors.
  • Embodiments may have the advantage that the use of a sensor integrated in the ID token prevents manipulation of the sensor, for example for a skimming attack.
  • The first microcontroller configured as a proxy allows switching between a data connection of the protected second microcontroller to one or more sensors of the ID token and a data connection of the second microcontroller to the reader.
  • the first microcontroller for this purpose has a plurality of communication interfaces which provide a plurality of data inputs and data outputs.
  • The sensor offers the possibility of including additional external security attributes in authentication and/or authorization checks. These security attributes may relate to the identity of the user of the ID token, for example in the case of a fingerprint sensor, to knowledge of the user, such as a PIN keypad for entering a PIN known only to the user, or to environmental parameters, for which a temperature sensor or a GPS receiver is provided, for example.
  • The memory of the protected second microcontroller comprises comparison data for the measurement data to be acquired by the sensors in a permitted, predefined application scenario. If the recorded measurement data agree with the comparison data, a permissible application scenario is assumed.
  • Such an application scenario is, for example, the use of the ID token by a person with a specific identity, by a person with specific knowledge and / or a use of the ID token at a specific location.
  • the ID token or the two applications of the protected second microcontroller can be configured to notify the reading device of the result of the comparison check and / or to transmit requested data only after a successful comparison check, or to execute received commands only after a successful comparison check.
  • The second application is configured to establish a connection with the reader in the form of an encrypted end-to-end connection and to output the data specified by a read command of the reader via that connection, the data being transmitted as encrypted APDUs over the encrypted end-to-end connection.
  • Embodiments may have the advantage that the data exchange between reader and ID token, in particular the interrogation of one or more attributes, can be effectively protected against unauthorized access, such as attempts of recording or listening.
  • the configuration of the first microcontroller as a proxy allows a query of measurement data of the sensor by switching the data connections despite the encryption of the data transmitted over the encrypted end-to-end connection.
  • Embodiments may have the advantage that, when a particular application such as the first application is queried, measurement data are requested from the first microcontroller as a precaution so that they are available to the protected second microcontroller in case of need, and the queried application can fall back on them despite the limited access to the second microcontroller and an exchange with the requesting reader that is encrypted and not visible from the outside. This applies even when the second microcontroller operates as a slave to the first microcontroller operated as master.
  • The first request of the reader during connection establishment is a request to establish an encrypted end-to-end connection.
  • Embodiments may have the advantage that measurement data are requested as a precautionary measure only if there are indications that they are actually involved in the communication about the encrypted end-to-end connection to be established.
  • the unencrypted message is a certificate which entitles the reader to check the measurement data acquired by the sensor by means of the first application.
  • Embodiments may have the advantage that measurement data are only requested as a precaution when a requesting reader also has the authorization to access these measurement data. If this is not the case, it is not necessary to provide the measured data, whether requested or not.
  • The first microcontroller is configured to receive, cache and forward all messages sent from the reader to the second application in the course of setting up the encrypted end-to-end connection, all cached messages being forwarded again to the second application after the measurement data have been forwarded.
  • Embodiments may have the advantage that, if the connection setup is interrupted, it can be efficiently resumed even if the build status achieved so far has been lost due to the interruption.
  • Embodiments may have the advantage that the measurement data is only requested if it is actually queried.
  • The use of two logical channels ensures that the established encrypted end-to-end connection is not interrupted but can persist when switching to another channel, without hindering the transmission of the measured data.
  • the analysis of the header data allows encryption to be maintained, thereby increasing security but still allowing the first microcontroller to detect a query of sensor measurement data.
  • the data transmission over the first logical channel is interrupted during transmission of the measurement data on the second logical channel and continues after completion of the measurement data transmission, but the first logical channel remains during the interruption.
  • the switching is controlled by the first microcontroller, which acts as a master, for example, while the protected second microcontroller assumes the role of a slave.
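As an added example (not code from the patent or from Bundesdruckerei), the following Python simulates two things described in the definitions above: the APDU structure (clear-text header, body, trailer with status word, logical channel number carried in CLA) and the channel switching performed by the first microcontroller. A stand-in for the protected second microcontroller only answers (slave role); the proxy inspects nothing but CLA and INS, forwards channel-0 traffic verbatim, and, when the header announces a sensor check, first delivers the sensor reading over logical channel 1 and then resumes channel 0. Using the ISO 7816-4 VERIFY instruction (INS 0x20) as the trigger, INS 0xCA for measurement delivery, the status words chosen and the sample bytes are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISO 7816-4 VERIFY instruction; used here, as an assumption of this example,
# as the header pattern that tells the proxy a sensor check is requested.
VERIFY_INS = 0x20
# Hypothetical instruction on logical channel 1 for delivering measurement data.
MEASUREMENT_INS = 0xCA


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes          # body without Lc; empty for cases 1 and 2
    le: Optional[int]    # expected response length; None if absent

    @property
    def channel(self) -> int:
        # Interindustry CLA: the two low bits carry the logical channel number.
        return self.cla & 0x03


def parse_command(raw: bytes) -> CommandAPDU:
    """Parse a short-length command APDU (ISO 7816-4 cases 1 to 4)."""
    if len(raw) < 4:
        raise ValueError("command APDU needs a 4-byte header")
    cla, ins, p1, p2 = raw[0], raw[1], raw[2], raw[3]
    rest = raw[4:]
    if len(rest) == 0:                            # case 1: header only
        return CommandAPDU(cla, ins, p1, p2, b"", None)
    if len(rest) == 1:                            # case 2: Le only
        return CommandAPDU(cla, ins, p1, p2, b"", rest[0] or 256)
    lc = rest[0]
    data, tail = rest[1:1 + lc], rest[1 + lc:]
    if len(data) != lc or len(tail) > 1:
        raise ValueError("Lc/Le do not match the body length")
    le = (tail[0] or 256) if tail else None       # case 4 or case 3
    return CommandAPDU(cla, ins, p1, p2, data, le)


def parse_response(raw: bytes) -> Tuple[bytes, int]:
    """Split a response APDU into its body and the 16-bit status word (trailer)."""
    if len(raw) < 2:
        raise ValueError("response APDU needs a 2-byte trailer")
    return raw[:-2], (raw[-2] << 8) | raw[-1]


class ProtectedMicrocontroller:
    """Stand-in for the protected second microcontroller. It acts as a slave and
    only answers. Channel 1 carries measurement data from the proxy; channel 0
    carries the reader's commands. Body decryption is not modelled here."""

    def __init__(self) -> None:
        self.measurement: Optional[bytes] = None

    def respond(self, raw: bytes) -> bytes:
        cmd = parse_command(raw)
        if cmd.channel == 1 and cmd.ins == MEASUREMENT_INS:
            self.measurement = cmd.data
            return b"\x90\x00"
        if cmd.channel == 0 and cmd.ins == VERIFY_INS and self.measurement is None:
            return b"\x69\x85"                    # conditions of use not satisfied
        return b"\x90\x00"                        # the (encrypted) reply would follow


class ProxyMicrocontroller:
    """Stand-in for the first microcontroller acting as master and proxy."""

    def __init__(self, se: ProtectedMicrocontroller, sensor_reading: bytes) -> None:
        self.se = se
        self.sensor_reading = sensor_reading
        self.trace: List[str] = []

    def forward(self, raw: bytes) -> bytes:
        cmd = parse_command(raw)                  # header only; body stays opaque
        if cmd.channel == 0 and cmd.ins == VERIFY_INS:
            # Interrupt channel 0, deliver the measurement on channel 1, resume.
            delivery = bytes([0x01, MEASUREMENT_INS, 0x00, 0x00,
                              len(self.sensor_reading)]) + self.sensor_reading
            if parse_response(self.se.respond(delivery))[1] != 0x9000:
                raise RuntimeError("measurement delivery failed")
            self.trace.append("ch1: measurement -> SE")
        self.trace.append("ch0: forwarded (body not inspected)")
        return self.se.respond(raw)


def demo() -> Tuple[int, List[str]]:
    """Reader sends VERIFY on channel 0 through the proxy; returns status + trace."""
    se = ProtectedMicrocontroller()
    proxy = ProxyMicrocontroller(se, b"\x42\x42")         # constructed sensor bytes
    reader_cmd = bytes([0x00, VERIFY_INS, 0x00, 0x80, 0x04]) + b"\xde\xad\xbe\xef"
    _, sw = parse_response(proxy.forward(reader_cmd))
    return sw, proxy.trace


if __name__ == "__main__":
    print(demo())
```

The routing decision in `forward` depends only on CLA and INS, so the first microcontroller never needs the session keys of the encrypted end-to-end connection; the body bytes pass through untouched. Sending the same VERIFY command directly to the stand-in second microcontroller without the channel-1 delivery yields status 6985 instead of 9000, which is the gating effect the definitions describe.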
  • the at least one microcontroller communication interface of the protected second microcontroller is a contact-type communication interface.
  • Embodiments may have the advantage that monitoring and / or recording of transmitted data is made more difficult and security is thus increased.
  • the protected second microcontroller comprises exactly one microcontroller communication interface.
  • Embodiments may have the advantage of effectively minimizing the physical accessibility of the protected second microcontroller and thus increasing security.
  • the first microcontroller is configured to exchange data contactlessly with a reader via the communication interface of the ID token.
  • Embodiments may have the advantage of simplifying the use of the ID token and not having to first contact the reader.
  • the checking process of the ID token can be accelerated since the bringing into contact is omitted.
  • this allows the ID token to be held without restrictions in such a way that one of the sensors is optimally aligned to acquire the measured data.
  • the ID token may be held so that a fingerprint sensor of the ID token is easily accessible to the user with his fingers.
  • the positioning possibilities of the ID token are limited by the required contact.
  • the first microcontroller is configured to exchange data via the communication interface of the ID token in contact with a reader.
  • Embodiments may have the advantage that monitoring and / or recording of transmitted data is made more difficult and security is thus increased.
  • the second application comprises the first application.
  • Embodiments may have the advantage that the functionality of the first and second applications on the protected second microcontroller are combined or integrated in a common application.
  • the second application natively includes the functionality of the first application or vice versa, whereby no separate implementation of this functionality is necessary in a separate, independent application.
  • the first and second applications are separate, stand-alone applications.
  • Embodiments may have the advantage that all applications that want to request further features forward these requests to a central application, ie the first application, and thus only this one central application takes over the administration and verification.
  • the measurement data is one or more biometric features, a PIN, acceleration data, GPS coordinates, and / or temperature data.
  • Embodiments may have the advantage that biometric features, such as fingerprints or a frequency pattern of the voice, may be used to verify the identity of the actual user of the ID token.
  • a PIN verifies that the user has the necessary knowledge for the legitimate use of the ID token.
  • acceleration data may be used to identify the user based on motion patterns.
  • the location of the ID token can be determined via the GPS coordinates.
  • the temperature can be used to check environmental conditions, for example, to determine the actual location of the use of the ID token.
  • The ID token has a plurality of different sensors for detecting a plurality of different measurement data, with which the first microcontroller is connected for data exchange, wherein the first application is configured to compare the measurement data of each sensor with comparison data stored in a memory of the second microcontroller and to forward the comparison results to the second application.
  • Embodiments may have the advantage that a complex usage scenario may be defined in which use of the ID token is allowed.
  • In a complex usage scenario, for example, a plurality of different measurement data acquired by means of different sensors must be correct, i.e. match predefined comparison data.
  • Graded security levels can be defined. For simple access to a building and/or computer system, knowledge of a PIN may be sufficient. For a legally binding digital signature, this knowledge may be required in conjunction with confirmation of the identity of the user by one or more biometric features.
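As an added example (not the patent's own code), this Python sketches how the first application could compare measurement data from several sensors against comparison data held in the protected memory area, and how the second application could withhold an attribute until that comparison succeeds for the requested usage scenario, with graded security levels as described above. Storing the PIN as a salted PBKDF2 digest, the retry counter, the toy fingerprint feature vector with its tolerance, and the two scenarios are constructed assumptions of this example.

```python
import hashlib
import hmac
from typing import Dict, Sequence, Tuple

# Comparison data as it might sit in the protected memory area. Everything here
# is constructed for this example: the PIN is kept as a salted PBKDF2 digest so
# that a dump of the memory does not yield it directly, and the fingerprint
# "template" is a toy feature vector standing in for a real biometric template.
PIN_SALT = b"constructed-salt"


def pin_digest(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), PIN_SALT, 10_000)


COMPARISON_DATA: Dict[str, object] = {
    "pin": pin_digest("2468"),
    "fingerprint": (12.0, 7.5, 3.25, 9.0),
}


def check_pin(entered: str, reference: bytes) -> bool:
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(pin_digest(entered), reference)


def check_fingerprint(measured: Sequence[float], template: Sequence[float],
                      tolerance: float = 1.0) -> bool:
    # Toy matcher: Euclidean distance between feature vectors within a tolerance.
    if len(measured) != len(template):
        return False
    dist = sum((m - t) ** 2 for m, t in zip(measured, template)) ** 0.5
    return dist <= tolerance


# Graded security levels: which sensor checks each usage scenario requires.
SCENARIOS: Dict[str, Tuple[str, ...]] = {
    "building_access": ("pin",),
    "digital_signature": ("pin", "fingerprint"),
}


class FirstApplication:
    """Stand-in for the first application on the protected microcontroller:
    compares measurement data with the stored comparison data and reports a
    per-sensor result. PIN checks are bounded by a retry counter."""

    def __init__(self, pin_tries: int = 3) -> None:
        self.max_tries = pin_tries
        self.pin_tries_left = pin_tries

    def _check_pin_with_counter(self, entered: str) -> bool:
        if self.pin_tries_left == 0:            # blocked: no further attempts
            return False
        ok = check_pin(entered, COMPARISON_DATA["pin"])
        self.pin_tries_left = self.max_tries if ok else self.pin_tries_left - 1
        return ok

    def compare(self, scenario: str,
                measurements: Dict[str, object]) -> Tuple[bool, Dict[str, bool]]:
        results: Dict[str, bool] = {}
        for sensor in SCENARIOS[scenario]:
            if sensor not in measurements:      # required sensor not provided
                results[sensor] = False
            elif sensor == "pin":
                results[sensor] = self._check_pin_with_counter(measurements["pin"])
            else:
                results[sensor] = check_fingerprint(measurements[sensor],
                                                    COMPARISON_DATA[sensor])
        return all(results.values()), results


class SecondApplication:
    """Stand-in for the second application: it releases an attribute only after
    the first application reports a successful comparison for the scenario."""

    ATTRIBUTE = b"constructed-attribute"

    def __init__(self, first: FirstApplication) -> None:
        self.first = first

    def read_attribute(self, scenario: str, measurements: Dict[str, object]):
        ok, _ = self.first.compare(scenario, measurements)
        return self.ATTRIBUTE if ok else None
```

A missing sensor counts as a failed check rather than being skipped, so a reader cannot downgrade a scenario by simply omitting a measurement, and once the PIN counter reaches zero even the correct PIN is refused until the token is reset by whatever procedure the issuer defines.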
  • The first microcontroller is configured as master and the protected second microcontroller as slave.
  • Embodiments may have the advantage that they increase security, since the security-sensitive second microcontroller cannot actively intervene in the communication. Therefore, the second microcontroller cannot be manipulated into transmitting inadmissible data by itself.
  • the second microcontroller is physically protected by one or more of the following: a clock frequency sensor, a temperature sensor, a voltage sensor, and / or a light sensor.
  • Embodiments may have the advantage that these sensors provide an effective way to monitor the state of the second microcontroller as well as its environment and thus allow early detection of physical manipulation attempts.
  • the second microcontroller is cryptographically protected by one or more of the following: a random number generator, a cryptographic key generator, a hash generator, an encryption/decryption module, a signature module, one or more certificates, and/or one or more non-migratable cryptographic keys.
  • Embodiments may have the advantage that both the data storage and the data transfer by means of the second microcontroller satisfy high cryptographic security requirements.
  • the microcontroller communication interface of the protected second microcontroller is hardwired to the first microcontroller.
  • Embodiments may have the advantage that removal of the protected second microcontroller from the ID token for manipulation purposes is made more difficult.
  • the wiring may be configured such that a non-destructive removal, in which the microcontroller communication interface remains functional, is prevented.
  • the protected second microcontroller is configured as a replaceable module and the receptacle of the ID token as a plug-in connection for the module, wherein the microcontroller communication interface of the protected second microcontroller is releasably contacted to the first microcontroller.
  • Embodiments may have the advantage that the ID token may be used as a platform for use with various protected second microcontrollers. In particular, this increases the compatibility with developments of the protected microcontroller and also allows a standardized mass production.
  • the ID token has an output device to which the first microcontroller is connected for data exchange.
  • Embodiments may have the advantage of facilitating operation of the ID token and of providing instructions for using the sensors as well as information about the usage state of the ID token. This is particularly advantageous with a plurality of sensors.
  • the output device may be, for example, a display or LEDs.
  • the sensor can also be integrated in an output device, such as in a pressure-sensitive display.
  • the invention relates to a system comprising an ID token according to one of the preceding claims and a reading device with a communication interface for data exchange with the communication interface of the ID token, wherein the reading device is configured to establish a connection to the second application of the protected second microcontroller and to send APDUs to the second application and/or receive APDUs from the second application via the established connection.
  • Embodiments may have the advantage of providing a system for efficiently and securely checking access authorization, securely processing payment transactions, and / or securely digitally signing electronic documents.
  • the reader is for example part of a device for access control, a terminal and / or a user computer system.
  • Embodiments may have the advantage of providing a method for verifying measurement data of the sensor of an ID token, which at the same time provides effective protection against misappropriation of the ID token.
  • the connection established between the reader and the second application is an encrypted end-to-end connection, over which encrypted APDUs are exchanged in the form of encrypted command APDUs and encrypted response APDUs.
  • Embodiments may have the advantage of providing data transmission protected against eavesdropping and / or snooping attempts.
  • unencrypted messages are exchanged between the reader and the second application via the communication interface of the ID token.
  • the request for setting up the connection between the reader and the second application of the protected second microcontroller is buffered by the first microcontroller, wherein the reception of the request triggers the provision of the comparison result for the acquired measurement data, and the cached request is forwarded by the first microcontroller to the second application after the acquired measurement data have been forwarded.
  • Embodiments may have the advantage that measurement data are provided as a precaution, so that the protected second microcontroller can have or access it as needed.
  • the unencrypted messages for establishing the connection received by the first microcontroller are cached by the first microcontroller, wherein the first microcontroller analyzes the cached unencrypted messages and, upon detecting in an unencrypted message a reference to measurement data acquired by the sensor, interrupts the forwarding of the corresponding message and causes the comparison result for the acquired measurement data to be provided; after the acquired measurement data have been forwarded by the first microcontroller to the second application, cached messages that had already been forwarded are forwarded again and the interrupted forwarding is continued.
  • Embodiments may have the advantage that measurement data are provided as a precautionary measure only when it is foreseeable that with a certain probability they will actually be required.
  • the analyzed message is a certificate of the reader and the measurement data is only provided if the reader also has the necessary authorization to access this measurement data.
  • encrypted APDUs are sent to and received from the protected second microcontroller on a first logical channel, wherein the first microcontroller analyzes the unencrypted header data of received command APDUs and, upon detecting in the unencrypted header data of an encrypted command APDU a reference to measurement data acquired by the sensor, interrupts the forwarding of the corresponding command APDU and causes the comparison result for the acquired measurement data to be provided, wherein the acquired measurement data are forwarded to the first application on a second logical channel and, after the first microcontroller has forwarded the acquired measurement data via the second logical channel, the interrupted transmission on the first logical channel is continued.
  • Embodiments may have the advantage of providing measurement data only when needed. At the same time, efficient provision is possible despite the encryption of the APDUs and the limited access to the protected second microcontroller.
  • each of the logical channels is assigned a context of the protected second microcontroller, and the second microcontroller is configured to switch between the individual contexts, depending on which logical channel the communication with the first microcontroller takes place.
  • Embodiments of the invention could have the advantage that the encrypted end-to-end connection between the reader and the second application can be maintained while interrogating, transmitting and comparing the measurement data.
  • FIG. 1 shows a schematic block diagram of an exemplary ID token 10 according to the invention in combination with a reader 20, which together form a system 100 according to the invention.
  • the ID token 10 includes first and second microcontrollers 40, 50.
  • the first microcontroller 40 is configured to communicate contactlessly, i.e. to exchange data, with the reader 20 by means of an antenna module 30 which includes an antenna.
  • the reader 20 is provided with an antenna 22.
  • the first microcontroller 40 includes a processor 42 and a memory 44.
  • the memory 44 includes machine-readable instructions that, when executed by the processor 42, cause the first microcontroller 40 to control the communication of the protected second microcontroller 50 with the reader 20 as well as with the sensors 70, 72 and the output devices 80, 82.
  • the ID token 10 includes the aforementioned sensors 70, 72, which are, for example, a fingerprint sensor 70 and a PIN keypad 72.
  • according to embodiments, the sensors may also be other known types of sensors, such as a microphone, a gyroscope, an acceleration sensor, a GPS receiver, and/or a thermometer. According to embodiments, however, these sensors may also be provided in addition to the two sensors 70, 72.
  • the ID token 10 includes output devices such as a display 80 and LEDs 82.
  • the display 80 may be driven by the first microcontroller 40 to prompt the user of the ID token 10 to place one or more fingers on the fingerprint sensor 70 or enter a PIN via the PIN keypad 72.
  • the LEDs 82 may signal to the user that the sensors 70 and / or 72 are ready for use and / or that a fingerprint has been completely detected or a PIN has been completely entered and / or that an error has occurred. This may be indicated, for example, by different colors in which the LEDs 82 are lit. According to embodiments, the ID token 10, and in particular the LEDs 82, may also be configured to indicate when the result of the data comparison performed by the first application 56 of the protected second microcontroller 50 is positive.
  • the ID token 10 includes a receptacle 60 for a second microcontroller, in which a protected second microcontroller 50 is arranged.
  • the second microcontroller 50 is protected on the one hand by having only a single contact-based microcontroller communication interface 59 for communicating or exchanging data with external elements, i.e. the first microcontroller 40, wherein the microcontroller communication interface 59 has exactly one data input and one data output.
  • the second microcontroller 50 may be protected physically and cryptographically.
  • for physical protection, the microcontroller 50 comprises, for example, a clock frequency sensor, a temperature sensor, a voltage sensor, and/or a light sensor.
  • for cryptographic protection, the microcontroller 50 comprises, for example, a random number generator, a cryptographic key generator, a hash generator, an encryption/decryption module, a signature module, one or more certificates and/or one or more non-migratable cryptographic keys.
  • the protected second microcontroller 50 comprises a processor 52 and a memory 54 with a first and a second application 56, 58.
  • the memory 54 comprises the comparison data (not shown) for the measurement data of the sensors 70, 72.
  • the comparison data may for example be fingerprints or characteristic feature specifications of fingerprints of one or more users associated with the ID token 10.
  • the comparison values may include one or more PINs.
  • the PINs may be stored in the memory 54 as ciphers, so that for the comparison it is necessary either to encipher the acquired measurement data in the same way for comparison with the stored ciphers, or to decipher the stored ciphers.
  • the memory 54 may be a protected memory according to embodiments.
  • the memory 54 can be accessed, for example, only if an access authorization required for this purpose is given.
  • the memory 54 can be accessed only via the processor 52.
  • the first application 56 includes machine-readable instructions that, when executed by the processor 52, cause the second microcontroller 50 to compare the measurement data of the sensors 70, 72, which the first microcontroller 40 forwards to the first application 56, with the comparison values stored in the memory 54.
  • the comparison results are transmitted from the first application 56 via an inter-applet communication (IAC) to the second application 58.
  • the first application 56 may also be integrated in the second application 58.
  • the second application 58 is configured to establish an encrypted end-to-end connection with the reader 20.
  • via the encrypted end-to-end connection, encrypted APDUs are exchanged between the reader 20 and the second application 58.
  • the reader 20 sends, for example, command APDUs to the second application 58, to which this responds in each case with a corresponding response APDU.
  • the ID token 10 may include a power source (not shown) configured to power at least the sensors 70, 72 and the display devices 80, 82.
  • the energy source may be, for example, a battery or an apparatus for "energy harvesting".
  • piezoelectric crystals, thermoelectric generators or the like can be used.
  • the reader 20 comprises a cryptographic circuit 24, which is configured to contactlessly communicate with the first microcontroller 40 of the ID token 10 by means of an antenna 22.
  • the reader 20 may be an RFID reader.
  • the communication between the reader 20 and the ID token 10 according to the standard ISO 14443 can be done wirelessly with a frequency of 13.56 MHz.
  • the reader 20 may be part of an access control system, for example, where a user must switch an access control device to a release state by means of the ID token 10 in order to gain access.
  • an attribute is stored in the protected memory 54 of the protected second microcontroller 50, which is to be read by the reading device 20 and compared with a comparison attribute. Only if the attribute read out from the protected memory 54 matches the comparison attribute of the reader 20 is the access control device switched to a release state.
  • an identification of the user by means of a biometric feature such as a fingerprint and / or the knowledge of a PIN is required as an entry requirement.
  • the user has to record his fingerprint via the fingerprint sensor 70 and / or enter a PIN via the PIN keypad 72.
  • the measurement data acquired by the sensors 70, 72 are forwarded via the first microcontroller 40 to the first application 56 of the protected second microcontroller 50.
  • the first application 56 is executed by the processor 52 and compares the acquired measurement data with the comparison data stored in the protected memory 54.
  • the comparison result is transmitted to the second application 58 by the first application 56 through an inter-applet communication and forwarded to the reader 20 via the encrypted end-to-end connection. Only with a positive comparison result, the access control device is switched to a release state.
  • alternatively, the comparison result is not communicated to the reader 20; instead, the second application 58 is configured such that the attribute requested by the reader 20 is transmitted to the reader 20 only on condition that the comparison result is positive.
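The following Python model is an added illustration of the division of labour just described between the first application 56 and the second application 58; it is not code from the patent or from the applicant. Application 56 compares forwarded PIN and fingerprint measurement data with comparison data held in memory 54 and reports the result via inter-applet communication; application 58 releases the requested attribute only if the comparison results demanded for the requested use are positive, which also illustrates the graded security levels mentioned above (PIN alone for building access, PIN plus fingerprint for a signature). The salted-hash storage of the PIN, the set-overlap fingerprint matcher, the policy names and the attribute value are assumptions made for this example; the patent specifies none of them.

```python
"""Added example, not code from the patent: applications 56 and 58 of the
protected microcontroller 50 modelled in Python.

Assumptions (not specified by the patent): PINs are stored as salted SHA-256
digests; a fingerprint template is a set of integer feature codes matched by
minimum overlap; the policy names and the attribute value are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field


def pin_cipher(pin: str, salt: bytes) -> bytes:
    """The 'cipher' under which a PIN is stored: a salted SHA-256 digest (assumption)."""
    return hashlib.sha256(salt + pin.encode("utf-8")).digest()


@dataclass
class FirstApplication:
    """Application 56: compares forwarded measurement data with stored comparison data."""
    pin_salt: bytes
    pin_ciphers: list          # stored PIN ciphers, one per enrolled PIN
    templates: list            # stored fingerprint templates (sets of feature codes)
    match_threshold: int = 12  # minimum matching feature codes for a positive result

    def compare(self, measurement: dict) -> dict:
        """Return one boolean per sensor whose data was forwarded (the comparison result)."""
        result = {}
        if "pin" in measurement:
            candidate = pin_cipher(measurement["pin"], self.pin_salt)
            # compare_digest keeps the comparison time independent of where digests differ
            result["pin"] = any(hmac.compare_digest(candidate, c) for c in self.pin_ciphers)
        if "fingerprint" in measurement:
            features = set(measurement["fingerprint"])
            result["fingerprint"] = any(
                len(features & t) >= self.match_threshold for t in self.templates
            )
        return result


@dataclass
class SecondApplication:
    """Application 58: reader-facing; releases the attribute only on a positive result."""
    attribute: bytes
    # graded security levels: which results must be positive for which use (constructed)
    policy: dict = field(default_factory=lambda: {
        "building": {"pin"},
        "signature": {"pin", "fingerprint"},
    })
    comparison_result: dict = field(default_factory=dict)

    def receive_iac(self, comparison_result: dict) -> None:
        """Inter-applet communication from application 56: store the comparison result."""
        self.comparison_result = dict(comparison_result)

    def read_attribute(self, use_case: str):
        """The attribute if every factor the policy demands compared positive, else None."""
        required = self.policy[use_case]
        if required and all(self.comparison_result.get(f) is True for f in required):
            return self.attribute
        return None


# constructed enrolment data standing in for the comparison data in memory 54
SALT = bytes(range(8))
ENROLLED_PIN = "123456"
ENROLLED_TEMPLATE = frozenset(range(0, 40, 2))   # 20 feature codes
ATTRIBUTE = b"employee-id:4711"


def run_scenario(pin: str, fingerprint, use_case: str):
    """Acquire -> compare (app 56) -> IAC -> attribute request (app 58); attribute or None."""
    app56 = FirstApplication(SALT, [pin_cipher(ENROLLED_PIN, SALT)], [ENROLLED_TEMPLATE])
    app58 = SecondApplication(attribute=ATTRIBUTE)
    measurement = {"pin": pin}
    if fingerprint is not None:
        measurement["fingerprint"] = fingerprint
    app58.receive_iac(app56.compare(measurement))
    return app58.read_attribute(use_case)


if __name__ == "__main__":
    print(run_scenario("123456", None, "building"))                    # attribute released
    print(run_scenario("123456", None, "signature"))                   # None: no fingerprint
    print(run_scenario("123456", list(range(0, 40, 2)), "signature"))  # attribute released
```

Because application 58 checks the cached comparison result rather than telling the reader which factor failed, a reader that is refused the attribute learns nothing beyond the refusal; `hmac.compare_digest` is used so that the PIN cipher comparison does not leak the position of the first differing byte through its timing.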
  • FIG. 2 shows a flow chart for a first exemplary method for operating the ID token 10 of FIG. 1 according to the invention.
  • the first microcontroller 40 receives, by means of the antenna module 30, a first request directed at the second application 58 of the protected second microcontroller 50 for setting up an encrypted end-to-end connection.
  • the received request is buffered by the first microcontroller 40 and its forwarding is interrupted.
  • the first microcontroller 40 sends in block 202 a second request for acquiring measurement data to the fingerprint sensor 70 and / or the PIN keypad 72.
  • the user is prompted via the display 80, for example, to place a finger on the fingerprint sensor 70 and/or to enter a PIN via the PIN keypad 72.
  • the corresponding measurement data are acquired by the sensors 70, 72 and transmitted in block 204 to the first microcontroller 40, which forwards them to the first application 56 via the single microcontroller communication interface 59.
  • the first application 56 compares the acquired measurement data with the comparison data stored in the memory 54.
  • in block 208, the comparison result is transmitted from the first application 56 to the second application 58 of the protected second microcontroller 50, for example by inter-applet communication, and is thus made available.
  • the transfer may occur immediately after completion of the comparison, or the first application 56 may cache the comparison results and transmit them to the second application 58 as needed, e.g. upon request.
  • the acquisition, forwarding and processing of measurement data is thus always carried out when the reader 20 attempts to read out the protected second microcontroller 50, ie initiates a connection setup with the second application 58. This is the case regardless of whether or which of the acquired measurement data is actually needed later in the course of the communication between the reader 20 and the second application 58.
  • the first request for setting up the encrypted end-to-end connection from the first microcontroller 40 to the second application 58 is forwarded in block 210.
  • the first microcontroller 40 is configured as a proxy that switches between forwarding the first request and forwarding measurement data, and thus controls the data stream from different, physically separate data sources, i.e. the reader 20 and the sensors 70, 72, to the protected second microcontroller 50.
  • the encrypted end-to-end connection is established, for example, by the exchange of certificates and / or cryptographic keys between the reader 20 and the second application 58.
  • the connection is established, for example, according to the protocol described in German patent application 10 2015 202 308.7.
  • encrypted APDUs are exchanged between the reader 20 and the second application 58 via this encrypted end-to-end connection.
  • an encrypted command APDU is sent from the reader 20 to the second application 58, which is received and forwarded on its transmission path by the first microcontroller 40.
  • This encrypted command APDU may query the result of the comparison for the detected sensor data and / or query an attribute which is output only on a positive comparison result.
  • a response APDU, which the second application 58 generates in reply to the command APDU using the comparison results and which includes, for example, the comparison results and/or a retrieved attribute, is received on its transmission path by the first microcontroller 40 and forwarded to the reader 20.
  • FIG. 3 shows a flowchart for a second exemplary method for operating the ID token 10 of FIG. 1 according to the invention.
  • the encrypted end-to-end connection is established, for example, by the exchange of certificates and / or cryptographic keys between the reader 20 and the second application 58.
  • the messages sent by the reader 20 to the second application 58, and the responses to them, are received and forwarded by the first microcontroller 40, which caches and analyzes them. For example, certain predefined key terms or functionalities related to the measurement data of the sensors 70, 72 are searched for.
  • the first microcontroller 40 receives a certificate from the reader 20. The content of this certificate is analyzed and if it relates to the measurement data of the sensors 70, 72, this reference is detected in block 304.
  • Such a reference may, for example, be an authorization to access the corresponding measurement data.
  • if no such reference is detected, connection setup continues by forwarding the analyzed message; otherwise the forwarding is temporarily suspended and connection establishment is thus interrupted in block 306. Even if the connection setup continues, according to embodiments the analyzed messages remain cached on the first microcontroller 40 until completion of the connection setup.
  • the analyzed message is, for example, a certificate of the reader 20.
  • the collection, forwarding, processing and provision of the measurement data to which the analyzed certificate refers are carried out.
  • the blocks 308 to 314, which relate to the detection, forwarding, processing and provision of the measurement data of the sensors 70, 72, are analogous to the blocks 202 to 208 of the method according to FIG. 2.
  • the single communication interface 59 of the second microcontroller 50 is used for transmitting the measurement data while the transmission of messages for establishing the encrypted end-to-end connection is suspended.
  • measurement data of the fingerprint sensor 70 and / or the PIN keypad 72 is detected.
  • upon forwarding the acquired measurement data through the first microcontroller 40 in block 310, the suspended connection setup continues in block 316. For this purpose, according to embodiments, it is necessary to forward again the data previously forwarded by the first microcontroller 40 and still stored thereon. In particular, the forwarding of the analyzed certificate, which was interrupted in block 306, is continued.
  • encrypted APDUs are exchanged between the reader 20 and the second application 58 in block 318. This includes, for example, receiving and sending command and response APDUs analogous to blocks 214 and 216 of FIG. 2.
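The proxy behaviour of FIG. 3 (blocks 302 to 316), and the embodiment described earlier in which cached messages that were already forwarded are forwarded again after the measurement data, can be traced in the following Python model. It is an added example, not code from the patent: the message encoding (single TLV records with a one-byte tag and length, tag 0xC1 for the reader certificate), the reading of the certificate's first byte as an authorization flag byte (0x01 for fingerprint data, 0x02 for PIN data) standing in for the "reference to measurement data", and the sensor readings are all constructed for the example. The method of FIG. 2 differs only in that the acquisition is triggered by the very first setup request, without analyzing its content.

```python
"""Added example, not code from the patent: microcontroller 40 as a caching
proxy during the unencrypted connection setup of FIG. 3 (blocks 302 to 316).

Assumptions not found in the patent: setup messages are single TLV records with
a one-byte tag and one-byte length; tag 0xC1 marks the reader certificate and
0x80 any other handshake message; the first byte of a certificate is a flag
byte whose bit 0x01 grants access to fingerprint data and 0x02 to PIN data.
That flag byte stands in for the 'reference to measurement data' the proxy
searches for. Sensor readings are constructed."""
from dataclasses import dataclass, field

TAG_HANDSHAKE = 0x80
TAG_CERTIFICATE = 0xC1
AUTH_FINGERPRINT = 0x01
AUTH_PIN = 0x02


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV record (one-byte tag, one-byte length)."""
    if len(value) > 255:
        raise ValueError("value too long for one-byte length")
    return bytes([tag, len(value)]) + value


def parse_tlv(msg: bytes) -> tuple:
    """Return (tag, value) of a single TLV record, rejecting truncated or padded input."""
    if len(msg) < 2 or len(msg) != 2 + msg[1]:
        raise ValueError("malformed TLV record")
    return msg[0], msg[2:]


def certificate_sensor_references(value: bytes) -> set:
    """Sensors the certificate's authorization flag byte refers to (constructed layout)."""
    if not value:
        raise ValueError("empty certificate")
    flags = value[0]
    wanted = set()
    if flags & AUTH_FINGERPRINT:
        wanted.add("fingerprint")
    if flags & AUTH_PIN:
        wanted.add("pin")
    return wanted


@dataclass
class ProtectedMicrocontroller:
    """Stand-in for microcontroller 50: records what reaches applications 56 and 58."""
    app58_inbox: list = field(default_factory=list)   # connection-setup messages
    app56_inbox: list = field(default_factory=list)   # forwarded measurement data


@dataclass
class FirstMicrocontroller:
    """Microcontroller 40: receives, caches, analyzes and forwards setup messages."""
    sensors: dict                        # sensor name -> callable returning a reading
    mcu50: ProtectedMicrocontroller
    cache: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def on_setup_message(self, msg: bytes) -> None:
        tag, value = parse_tlv(msg)
        self.cache.append(msg)                     # every setup message is cached (block 302)
        wanted = certificate_sensor_references(value) if tag == TAG_CERTIFICATE else set()
        if not wanted:
            self.mcu50.app58_inbox.append(msg)     # no reference found: forward immediately
            self.log.append(("forward", tag))
            return
        self.log.append(("suspend", tag))          # block 306: hold back this message
        for name in sorted(wanted):                # blocks 308 to 310: acquire and forward
            self.mcu50.app56_inbox.append((name, self.sensors[name]()))
            self.log.append(("sensor", name))
        # block 316: messages already forwarded are forwarded again, then the held message
        self.mcu50.app58_inbox.extend(self.cache)
        self.log.append(("replay", len(self.cache)))

    def on_setup_complete(self) -> None:
        self.cache.clear()                         # cached messages live until setup finishes


def run_setup(messages: list) -> FirstMicrocontroller:
    """Feed a constructed setup exchange through the proxy and return it for inspection."""
    mcu50 = ProtectedMicrocontroller()
    sensors = {"fingerprint": lambda: b"\x10\x20\x30", "pin": lambda: b"1234"}  # constructed
    mcu40 = FirstMicrocontroller(sensors, mcu50)
    for m in messages:
        mcu40.on_setup_message(m)
    mcu40.on_setup_complete()
    return mcu40


# constructed exchanges: a handshake message followed by the reader's certificate
SETUP_WITH_FINGERPRINT_AUTH = [
    tlv(TAG_HANDSHAKE, b"hello"),
    tlv(TAG_CERTIFICATE, bytes([AUTH_FINGERPRINT]) + b"reader-cert-body"),
]
SETUP_WITHOUT_AUTH = [
    tlv(TAG_HANDSHAKE, b"hello"),
    tlv(TAG_CERTIFICATE, bytes([0x00]) + b"reader-cert-body"),
]

if __name__ == "__main__":
    print(run_setup(SETUP_WITH_FINGERPRINT_AUTH).log)
    print(run_setup(SETUP_WITHOUT_AUTH).log)
```

The replay in block 316 delivers the earlier setup messages to the second application a second time, so the second microcontroller has to treat the resumed setup as a restart of the handshake rather than a continuation. The strict length check in `parse_tlv` matters because the proxy parses reader-supplied input before any authentication has completed; a lenient parser here would hand an unauthenticated reader a way to influence what the first microcontroller caches and replays.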
  • FIG. 4 shows a flowchart for a third exemplary method for operating the ID token 10 of FIG. 1 according to the invention.
  • an encrypted end-to-end connection is established between the reader 20 and the second application 58.
  • the transmission of encrypted APDUs to the protected second microcontroller 50 takes place via its contact-based microcontroller communication interface 59 on a first logical channel.
  • the first logical channel is assigned a first context of the protected second microcontroller 50.
  • an encrypted command APDU sent by the reader 20 is received by the first microcontroller 40.
  • the first microcontroller 40 does not have access to the encrypted payload data of the command APDU, but it does have access to its unencrypted header data. These header data are analyzed, for example, with a predefined search mask.
  • a reference to measurement data of the sensors 70, 72 is detected, for example an access to the corresponding measurement data.
  • communication is paused over the first logical channel.
  • the analyzed command APDU cached on the first microcontroller 40 is not forwarded for the time being.
  • the first microcontroller 40 switches over and establishes a connection between the fingerprint sensor 70 and/or the PIN keypad 72 on the one hand and the first application 56 of the protected second microcontroller 50 on the other hand, by requesting measurement data and transmitting it to the protected second microcontroller 50 on a second logical channel.
  • the second logical channel is assigned a second context of the protected second microcontroller 50.
  • the protected second microcontroller 50 is configured to switch between the different contexts depending on which logical channel is being communicated.
  • the first microcontroller 40 acts as a master, the protected second microcontroller 50 as a slave.
  • the blocks 408 to 414, which relate to the detection, forwarding, processing and provision of the measurement data of the sensors 70, 72, are analogous to the blocks 202 to 208 of the method according to FIG. 2.
  • upon forwarding the acquired measurement data via the second logical channel in block 410, the first microcontroller 40 changes back to the paused first logical channel in block 416 and continues the encrypted communication by forwarding the cached command APDU to the second application 58.
  • the second application 58 responds to the command APDU, for example, with a response APDU analogous to block 216 of FIG. 2, which is received by the first microcontroller 40 and forwarded to the reader 20 via the antenna module 30.
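The header analysis and channel switch of FIG. 4, and the embodiment described earlier under the first and second logical channel, are modelled in the following Python example. It is an added example, not code from the patent. The CLA coding it relies on (bits 4-3 for secure messaging, bits 2-1 for the logical channel number) and INS 0x20 for VERIFY follow ISO/IEC 7816-4; the P2 qualifiers taken to refer to PIN and fingerprint data, the proprietary-class command (CLA 0x81, INS 0x10) used to forward measurement data on channel 1, the placeholder secure-messaging data objects and the sensor readings are assumptions made for the example.

```python
"""Added example, not code from the patent: microcontroller 40 as an APDU
proxy for the method of FIG. 4, with header analysis and the switch between
two logical channels modelled in Python.

From ISO/IEC 7816-4 (first interindustry CLA values, bits 8 to 6 = 000):
bits 4-3 of CLA signal secure messaging (0b11 = command header authenticated,
data field protected) and bits 2-1 carry the logical channel number 0..3.
So CLA 0x0C is a secure-messaging command on channel 0 whose CLA, INS, P1, P2
stay in clear. INS 0x20 is VERIFY.

Assumptions not in the patent: the P2 qualifiers that refer to PIN (0x01) and
fingerprint (0x02) data; that measurement data travel on channel 1 as a
proprietary-class command (CLA 0x81, INS 0x10); constructed sensor readings."""
from dataclasses import dataclass, field

INS_VERIFY = 0x20
CLA_SM_CH0 = 0x0C                 # bits 4-3 = 11 (SM, header authenticated), channel 0
CLA_CH1_PROPRIETARY = 0x81        # proprietary class; channel 1 in bits 2-1 (assumption)
INS_FORWARD_MEASUREMENT = 0x10    # hypothetical INS application 56 accepts on channel 1
# 'search mask': (INS, P2) pairs in the clear header that refer to sensor data (constructed)
SENSOR_REFERENCES = {(INS_VERIFY, 0x01): "pin", (INS_VERIFY, 0x02): "fingerprint"}


def parse_header(apdu: bytes) -> dict:
    """Decode CLA/INS/P1/P2 plus channel and SM bits; the body is passed through untouched."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than its 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    if cla & 0x40:
        raise ValueError("extended logical channel numbering (CLA bit 7) not handled")
    return {
        "cla": cla, "ins": ins, "p1": p1, "p2": p2,
        "channel": cla & 0x03,                      # bits 2-1
        "secure_messaging": (cla & 0x0C) == 0x0C,   # bits 4-3 both set
        "body": apdu[4:],
    }


@dataclass
class ProtectedMicrocontroller:
    """Stand-in for microcontroller 50: one context per logical channel."""
    contexts: dict = field(default_factory=lambda: {0: [], 1: []})

    def receive(self, apdu: bytes) -> None:
        channel = parse_header(apdu)["channel"]
        self.contexts.setdefault(channel, []).append(apdu)   # context follows the channel bits


@dataclass
class FirstMicrocontroller:
    """Microcontroller 40: forwards reader APDUs, interposing sensor data when needed."""
    sensors: dict                                   # sensor name -> callable returning a reading
    mcu50: ProtectedMicrocontroller
    paused: list = field(default_factory=list)      # command APDU held back on channel 0
    trace: list = field(default_factory=list)

    def on_command_apdu(self, apdu: bytes) -> None:
        h = parse_header(apdu)                      # only the clear header is inspected
        sensor = SENSOR_REFERENCES.get((h["ins"], h["p2"])) if h["channel"] == 0 else None
        if sensor is None:
            self.mcu50.receive(apdu)
            self.trace.append(("forward", h["channel"]))
            return
        self.paused.append(apdu)                    # pause channel 0, keep the APDU
        self.trace.append(("pause", 0, sensor))
        reading = self.sensors[sensor]()            # blocks 408 to 410 on channel 1
        measurement_apdu = (bytes([CLA_CH1_PROPRIETARY, INS_FORWARD_MEASUREMENT, 0x00, 0x00,
                                   len(reading)]) + reading)
        self.mcu50.receive(measurement_apdu)
        self.trace.append(("forward", 1))
        self.mcu50.receive(self.paused.pop())       # block 416: back to channel 0, resume
        self.trace.append(("resume", 0))


def sm_verify_apdu(p2: int) -> bytes:
    """Constructed stand-in for an SM-protected VERIFY: clear header, then DO '87'
    (padding indicator + ciphertext) and DO '8E' (MAC). The bytes are placeholders;
    the proxy never decrypts or verifies them."""
    do87 = bytes([0x87, 0x09, 0x01]) + b"\xde\xad\xbe\xef\xca\xfe\xba\xbe"
    do8e = bytes([0x8E, 0x08]) + b"\x01\x02\x03\x04\x05\x06\x07\x08"
    body = do87 + do8e
    return bytes([CLA_SM_CH0, INS_VERIFY, 0x00, p2, len(body)]) + body + b"\x00"


def run(commands: list) -> FirstMicrocontroller:
    """Push constructed reader commands through the proxy and return it for inspection."""
    mcu50 = ProtectedMicrocontroller()
    sensors = {"pin": lambda: b"1234", "fingerprint": lambda: b"\x10\x20\x30"}  # constructed
    mcu40 = FirstMicrocontroller(sensors, mcu50)
    for c in commands:
        mcu40.on_command_apdu(c)
    return mcu40


if __name__ == "__main__":
    read_binary = bytes([CLA_SM_CH0, 0xB0, 0x00, 0x00, 0x00])   # SM header, no sensor reference
    print(run([read_binary, sm_verify_apdu(0x01)]).trace)
```

The proxy never needs the session keys: it reads only the four clear header bytes, holds the command back, feeds the sensor reading in on channel 1, and then forwards the unchanged command on channel 0, so the end-to-end protection between the reader and application 58 is preserved exactly as the embodiment describes. The `ValueError` on CLA bit 7 is deliberate: a proxy that guessed the channel number of an APDU it cannot decode could deliver reader traffic into the sensor context.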

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
  • Arrangements For Transmission Of Measured Signals (AREA)
EP18182580.3A 2015-12-15 2016-12-13 Token d'identification au microcontrôleur securisé Active EP3428830B1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE102015225275.2A DE102015225275A1 (de) 2015-12-15 2015-12-15 ID-Token mit geschütztem Mikrocontroller
PCT/EP2016/080750 WO2017102699A1 (fr) 2015-12-15 2016-12-13 Jeton d'identification à microcontrôleur protégé
EP16819835.6A EP3391278B1 (fr) 2015-12-15 2016-12-13 Jeton d'identification à microcontrôleur protégé

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
EP16819835.6A Division EP3391278B1 (fr) 2015-12-15 2016-12-13 Jeton d'identification à microcontrôleur protégé
EP16819835.6A Division-Into EP3391278B1 (fr) 2015-12-15 2016-12-13 Jeton d'identification à microcontrôleur protégé

Publications (2)

Publication Number Publication Date
EP3428830A1 true EP3428830A1 (fr) 2019-01-16
EP3428830B1 EP3428830B1 (fr) 2020-07-22

Family

ID=57681553

Family Applications (3)

Application Number Title Priority Date Filing Date
EP18182581.1A Active EP3422243B1 (fr) 2015-12-15 2016-12-13 Token d'identification au microcontrôleur securisé
EP18182580.3A Active EP3428830B1 (fr) 2015-12-15 2016-12-13 Token d'identification au microcontrôleur securisé
EP16819835.6A Active EP3391278B1 (fr) 2015-12-15 2016-12-13 Jeton d'identification à microcontrôleur protégé

Family Applications Before (1)

Application Number Title Priority Date Filing Date
EP18182581.1A Active EP3422243B1 (fr) 2015-12-15 2016-12-13 Token d'identification au microcontrôleur securisé

Family Applications After (1)

Application Number Title Priority Date Filing Date
EP16819835.6A Active EP3391278B1 (fr) 2015-12-15 2016-12-13 Jeton d'identification à microcontrôleur protégé

Country Status (4)

Country Link
US (1) US10956618B2 (fr)
EP (3) EP3422243B1 (fr)
DE (1) DE102015225275A1 (fr)
WO (1) WO2017102699A1 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2547954B (en) * 2016-03-03 2021-12-22 Zwipe As Attack resistant biometric authorised device
AT519490B1 (de) * 2016-12-30 2020-01-15 Avl List Gmbh Kommunikation eines Netzwerkknotens in einem Datennetz
DE102018202357A1 (de) * 2018-02-15 2019-08-22 Bundesdruckerei Gmbh Verfahren zum Verarbeiten eines kryptographischen Schlüssels und Prozessorchipkarte
EP3814997B1 (fr) 2018-06-29 2024-01-10 Visa International Service Association Communication à connexion de carte à puce
US12260895B2 (en) * 2021-09-01 2025-03-25 Micron Technology, Inc. Apparatus with power-based data protection mechanism and methods for operating the same

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102011082101A1 (de) 2011-09-02 2013-03-07 Bundesdruckerei Gmbh Verfahren zur Erzeugung eines Soft-Tokens, Computerprogrammprodukt und Dienst-Computersystem
EP2575084A1 (fr) 2011-09-30 2013-04-03 Nxp B.V. Jeton de sécurité et système d'authentification
US20140019746A1 (en) * 2012-07-12 2014-01-16 Sebastian J. Hans Runtime Environment Management of Secure Communications on Card Computing Devices
DE102015202308A1 (de) 2015-02-10 2016-08-11 Bundesdruckerei Gmbh Computerimplementiertes Verfahren zur Zugriffskontrolle

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1600885B1 (fr) * 2003-02-25 2010-02-10 Dai Nippon Printing Co., Ltd. Lecteur-editeur de carte sim
US7762470B2 (en) * 2003-11-17 2010-07-27 Dpd Patent Trust Ltd. RFID token with multiple interface controller
US20160267486A1 (en) * 2015-03-13 2016-09-15 Radiius Corp Smartcard Payment System and Method
US11157901B2 (en) * 2016-07-18 2021-10-26 Dream Payments Corp. Systems and methods for initialization and activation of secure elements

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Smart Cards; Remote APDU structure for UICC based applications (Release 11); ETSI TS 102 226 v11.2.0", 31 January 2013 (2013-01-31), pages 2013 - 1, XP055149593, Retrieved from the Internet <URL:http://www.etsi.org/deliver/etsi_ts/102200_102299/102226/11.02.00_60/ts_102226v110200p.pdf> [retrieved on 20141029] *
"Smart Cards; Secure channel between a UICC and an end-point terminal (Release 7); ETSI TS 102 484", ETSI STANDARD, EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE (ETSI), SOPHIA ANTIPOLIS CEDEX, FRANCE, vol. SCP-T, no. V7.3.0, 1 January 2009 (2009-01-01), XP014042875 *

Also Published As

Publication number Publication date
EP3428830B1 (fr) 2020-07-22
US20180349647A1 (en) 2018-12-06
WO2017102699A1 (fr) 2017-06-22
EP3391278B1 (fr) 2019-11-27
DE102015225275A1 (de) 2017-06-22
EP3422243B1 (fr) 2021-08-18
EP3422243A1 (fr) 2019-01-02
EP3391278A1 (fr) 2018-10-24
US10956618B2 (en) 2021-03-23

Similar Documents

Publication Publication Date Title
EP2454704B1 (fr) Methode pour lir des attributes de un jeton d'identite
EP3261011B1 (fr) Procédé de lecture d'attributs à partir d'un jeton d'identification
EP3391278B1 (fr) Jeton d'identification à microcontrôleur protégé
EP3246839B1 (fr) Contrôle d'accès comprenant un appareil radio mobile
WO2014131675A1 (fr) Lecture d'un attribut enregistré dans un jeton id
EP3465513B1 (fr) Authentification d'utilisateur au moyen d'un jeton d'identification
EP4327510B1 (fr) Création d'une identité électronique sécurisée par cryptographie
EP4295605B1 (fr) Authentification d'utilisateur à l'aide de deux éléments de sécurité indépendants
EP3206151B1 (fr) Procédé et système d'authentification d'un appareil de télécommunication mobile sur un système informatique de service et appareil de télécommunication mobile
EP2389644B1 (fr) Procédé de déverrouillage d'une fonction de carte à puce, et lecteur de carte
EP3882796B1 (fr) Authentification de l'utilisateur à l'aide de deux éléments de sécurité indépendants
EP3271855A1 (fr) Procédé de génération d'un certificat pour un jeton de sécurité
EP3336736B1 (fr) Jeton auxiliaire id destiné à l'authentification mulifacteur
EP2752785B1 (fr) Procédé de personnalisation d'un élément sécurisé (Secure Element SE) et système informatique
EP3336732B1 (fr) Authentification d'utilisateur à l'aide de plusieurs caractéristiques
EP2137705B1 (fr) Procédé pour transmettre les données concernant une personne à un dispositif de contrôle
EP3298526A1 (fr) Procédé de lecture d'attributs à partir d'un jeton d'identification
EP4468652B1 (fr) Service de signature à distance utilisant un service de messagerie instantanée
WO2013050112A1 (fr) Marquage de données non sûres au moyen d'un module nfc
EP4657287A1 (fr) Fourniture d'une preuve d'ID numérique
EP4703941A1 (fr) Système, procédé et produit de programme informatique pour une communication sécurisée entre deux fichiers
DE102011079441A1 (de) Verfahren zum Schutz eines Chipkarten-Terminals gegen unberechtigte Benutzung

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

AC Divisional application: reference to earlier application

Ref document number: 3391278

Country of ref document: EP

Kind code of ref document: P

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20190716

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20200205

GRAJ Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted

Free format text: ORIGINAL CODE: EPIDOSDIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

GRAR Information related to intention to grant a patent recorded

Free format text: ORIGINAL CODE: EPIDOSNIGR71

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

INTC Intention to grant announced (deleted)

AC Divisional application: reference to earlier application

Ref document number: 3391278

Country of ref document: EP

Kind code of ref document: P

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

INTG Intention to grant announced

Effective date: 20200616

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Free format text: NOT ENGLISH

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 502016010613

Country of ref document: DE

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1294102

Country of ref document: AT

Kind code of ref document: T

Effective date: 20200815

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

Free format text: LANGUAGE OF EP DOCUMENT: GERMAN

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201022

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201022

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201123

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201023

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201122

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 502016010613

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

26N No opposition filed

Effective date: 20210423

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20201231

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20200722

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201213

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201213

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201231

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201231

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200722

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201231

REG Reference to a national code

Ref country code: AT

Ref legal event code: MM01

Ref document number: 1294102

Country of ref document: AT

Kind code of ref document: T

Effective date: 20211213

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20211213

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230526

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20251218

Year of fee payment: 10

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20251218

Year of fee payment: 10

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20251222

Year of fee payment: 10